« Previous 1 2 3 4 Next »
Discovering indicators of compromise
Reconnaissance
Process Monitor
Following Locard's Exchange Principle that attackers always leave something behind, it's only logical that when investigating a Windows system, you look for system processes that have been spawned. For that, I've always found that Process Monitor (Figure 1) is a terrific tool for tracking unknown activity on any Windows system, no matter how new or old. Useful features include the ability to identify and trace sub-processes, as well as filter the many thousands of processes running on any particular Windows host. You can download Process Monitor directly from Microsoft [6].
Figure 1: Process Monitor.
The following general principle is true: The more powerful the machine, the more powerful the potential shell or process. That's why Process Monitor is so useful. It allows me to investigate processes that have been spawned and tracks those processes right up the execution tree to the kernel. It also allows me to see whether these processes lead to a socket, which is where an IP address has been mapped to a port.
Wireshark: The Analyst's Best Friend
Wireshark is in many ways the best friend of a security analyst. Although I might be overstating this, because system logs and process logs are also vital for any analyst, if you really want to get into what's happening on the network, Wireshark is terrific. Once again, you can't simply expect an IDS such as Snort, Bro, SolarWinds, or Suricata to do this work for you. Wireshark is freely available online [7] and is preinstalled on many Linux operating systems.
Analyzing an Attack
A month or so ago, I was working with a security analyst who monitors Fortune 500 banks, as well as large oil companies. He showed me how many of these organizations still use older Windows and Linux systems to provide essential banking services and control physical systems, such as oil pipelines. I've had other security analysts confirm that many healthcare, manufacturing, and retail point of sale systems use older Windows hosts, so I thought I'd demonstrate how a security analyst identifies IoCs on these systems.
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Improved defense through pen testing
Discover indicators of compromise with open source pen testing tools. - LemonDuck Cryptomining Malware is Targeting Linux Systems
-
Credential harvesting at the network interstice
To thwart credential harvesters at the network interstice, you must understand how attackers exploit browser transactions. -
Preparing for cyberattacks
The possibility of a ransomware attack means it is essential to prepare for cyberattacks by putting defense mechanisms and contingency plans in place. -
Detecting and analyzing man-in-the-middle attacks
Wireshark and a combination of tools comprehensively analyze your security architecture.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
